4

Reddit just revealed that they experienced a security breach as a result of an intercepted SMS-based 2FA. Another post on SMS 2FA refers to a flaw in the telecom’s SS7 protocol that was used to perform the breach.

I’m not sure if the Reddit incident involved the SS7 technique or some sort of spear phishing to get some malicious code installed on the device that received the SMS. However, if an intercept was used, I would have expected the original device to have received the message and the owner to realize they didn’t request it and alert their company’s security team. That being said, would the hackers have been able to block the legitimate device from getting their request for an SMS 2FA, or would they have had to wait for the target to request one and just try to beat them to the login?

1 Answer

2

It's not clear from the article if the attacker intercepted the SMS code or if he just found a way to bypass it. I think we can't really say what happened without more details.

However, take a look at the "Ghost Telephonist" attack shown at Black Hat USA 2017, which is just a real-world example of how an attacker could intercept a call or an SMS without forwarding it to the end user.

Also keep in mind that not every user takes action when they receive a 2FA code: people could think "someone got my password but 2FA stopped them from logging in" and ignore what happened.
